Encryption strategies for preventing laptop data leaks

Encrypted password databases
Programs that selectively encrypt usernames, passwords, account numbers and related tidbits have been available for years. Consumers who do not already encrypt their personal data should seriously consider free programs like Password Safe and KeePass. But this ad hoc approach is of little utility to employers because it depends on inherently...

BROWSE BY TAG Network Security Tactics,   Enterprise Data Protection,   Disk Encryption and File Encryption,   Identity Theft and Data Security Breaches,   VIEW ALL TAGS

RELATED CONTENT Network Security Tactics What to do with network penetration test results How to use TrueCrypt for disk encryption Protecting enterprise networks from new mobile application downloads Maintaining security after a cloud computing implementation Preparing the network for a cloud computing implementation PuTTY configuration tips: How to connect to remote network systems A guide to internal and external network security auditing How to keep networks secure when deploying an 802.11n upgrade Screencast: Find rogue wireless access points with Vistumbler How to provide access to Web content (while ensuring network security) Disk Encryption and File Encryption No major PCI DSS revision expected in 2010 How to use TrueCrypt for disk encryption The future of PCI DSS encryption requirements? Tokenization for PCI What are the top three network intrusion techniques? Health Net healthcare data breach affects1.5 million Prevent meet-in-the-middle attacks with TDES encryption Heartland CIO is critical of First Data's credit card tokenization plan Heartland CIO on end-to-end encryption, credit card tokenization Should developers create libraries of common cryptographic algorithms? What is an encryption collision? Identity Theft and Data Security Breaches MA 201 CMR 17 enforcement less likely with prompt reporting, cooperation No major PCI DSS revision expected in 2010 Data breach costs continue to rise in 2009, Ponemon study finds Chinese hacker attacks target Google Gmail accounts, top tech firms Facebook, McAfee partner to fix social network security issues Hacker pleads guilty to orchestrating Heartland credit card heist MasterCard reverses PCI compliance requirement Verizon report goes deep inside data breach investigations Health Net healthcare data breach affects1.5 million Massive T-Mobile UK security breach involves insiders

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Advanced Encryption Standard  (SearchSecurity.com) data key  (SearchSecurity.com) Encrypting File System  (SearchSecurity.com) encryption  (SearchSecurity.com) Escrowed Encryption Standard  (SearchSecurity.com) network encryption  (SearchSecurity.com) output feedback  (SearchSecurity.com) Quiz: Cryptography  (SearchSecurity.com) Rijndael  (SearchSecurity.com) Twofish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

unreliable users to decide what should be encrypted and when. It cannot ensure that sensitive data always gets protected, and thus cannot prove that private data was never exposed.

File and folder encryption
To meet those needs, most businesses will choose IT-administered stored data protection, based on file/folder encryption, full-disk encryption or some combination thereof. File/folder encryption is also selective, but encrypts files automatically, based on defined attributes like file location (e.g., folder), file type (e.g., spreadsheets) or source application (e.g., everything Excel touches).

For example, the Windows Encrypting File System (EFS) is Microsoft's basic file/folder encryption tool. It can be centrally activated by using Active Directory Group Policy Objects to encrypt specified files or folders. However, EFS still relies on sensitive data being written into protected locations, and cannot stop users from copying encrypted files to unencrypted locations (e.g., thumb drives).

More sophisticated file/folder encryption products do more. For example, some offer stronger policies that make data leakage less likely, provide reports that document compliance after a laptop goes missing and can apply a consistent encryption platform and policy to heterogeneous devices, e.g. PCs, PDAs and removable storage.

Full-disk encryption
For general purpose computers, the other popular approach is to simply encrypt everything stored on a physical disk or a logical volume. The goal is to ensure that nothing is ever written to storage without being encrypted. That includes not only sensitive user data, but also application and operating system files.

An example of volume encryption is the BitLocker feature in Windows Vista. It divides a PC's boot drive into an unencrypted boot volume and an encrypted operating system volume, which is unlocked and verified at boot time using a Trusted Platform Module (TPM) chip, USB key or recovery passphrase. But data written to non-OS volumes is still unprotected, although it can optionally be encrypted using EFS.

More comprehensive full-disk encryption (FDE) scrambles the entire hard drive's contents, including boot sectors, swap files, OS files and user data. Authentication, encryption, provisioning and reporting capabilities vary, but enterprise FDE products offer features like Windows single sign-on and central logging for security audit and compliance reporting.

Comparing alternatives
The main weakness of file/folder encryption is the possibility of data leakage. So why doesn't everyone use full-disk encryption? For starters, encrypting an entire disk can take hours -- not including the time required to make a full system backup first. Thereafter, all data will be encrypted "on the fly," slowing overall system performance to some (not necessarily noticeable) degree.

Some FDE pre-boot authentication methods interfere with other programs that may also be used on the protected system, from asset-tracking products to sign-on processes that modify the Windows graphical identification and authentication library (GINA). Moreover, desktop administration, patching and auditing tools and practices may be affected, since they cannot unlock encrypted system files without the user's credentials. If a protected system is corrupted or damaged, data recovery can be similarly affected. Finally, when routine backups are created, it's wise to encrypt those too.

Combining methods can enable an organization to obtain the best of both worlds. For example, use file/folder encryption on less capable devices like PDAs, while applying FDE to laptops. Applying both methods to the same device might seem like overkill, but it is a viable option, particularly for mobile users who carry regulated data. FDE offers foolproof protection against device loss or theft, while file/folder encryption can protect sensitive user data without obscuring files that IT requires to perform maintenance and recovery tasks.

Of course, the decision will also be influenced by workforce size and budget, privacy needs, risk tolerance and company politics. For more about deployment considerations, best practices, and enterprise experiences with laptop encryption, I recommend the following:

• "Emerging Technologies," Information Security Magazine, July/August 2007
• "Implementation Advice for Mobile Data Protection," Gartner, March 2007
• "Securing Laptops with Full Disk Encryption," IDC, January 2007

About the author:
Lisa Phifer is vice president of Core Competence Inc. She has been involved in the design, implementation and evaluation of networking, security and management products for more than 25 years, and has advised companies large and small regarding security needs, product assessment, and the use of emerging technologies and best practices.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.